LinuxQuestions.org
Old 03-22-2010, 03:35 PM   #1
bobby953
Member
 
Registered: Mar 2009
Posts: 41

Rep: Reputation: 15
Do I need to forward port for IP-Based Virtual Host to work ?


Having trouble visualising how IP-Based Virtual Host (with SSL) would work. Here is my vhosts.conf file:

Code:
#Define Name Virtual Host
NameVirtualHost 10.10.0.54:80

#Used to replace the main server host. The log file will reside in /var/log/httpd/error_log
<VirtualHost 10.10.0.54:80>
        ServerAdmin webmaster@domain1.ca
        DocumentRoot /var/www/html/domain1
        ServerName domain1.ca
        ErrorLog /var/log/httpd/domain1/error_log
        CustomLog /var/log/httpd/domain1/access_log common
</VirtualHost>

<VirtualHost 10.10.0.54:80>
        ServerAdmin webmaster@domain2.ca
        DocumentRoot /var/www/html/domain2
        ServerName domain2.ca
        ErrorLog /var/log/httpd/domain2/error_log
        CustomLog /var/log/httpd/domain2/access_log common
</VirtualHost>
I want to host a couple of websites with SSL. So I can, using ip aliasing, create two virtual interfaces: eth0:1 and eth0:2 and assign to them 10.10.0.55 and 10.10.0.56 respectively. Now, my question is, will I have to forward port 443 to 10.10.0.55 and 10.10.0.56? I can't forward a port to two ip's at the same time.

Let's say I just want to host one website with SSL. If I do

Code:
<VirtualHost 10.10.0.55:443>
        ServerAdmin webmaster@domain3.ca
        DocumentRoot /var/www/html/domain3
        ServerName domain3.ca
        SSLEngine On
        # Other SSL Directives ....
        ErrorLog /var/log/httpd/domain3/error_log
        CustomLog /var/log/httpd/domain3/access_log common
</VirtualHost>
How will it work? I will need to forward port 443 to the 10.10.0.55 interface right? Without doing that, there is no way this is going to work... is there? And that means that I can't run more than 1 ip-based SSL virtual host on one machine because I can't forward 443 to two different interfaces.

Also, do I use internal ip address or external ip address in the <VirtualHost > tag? I only have one static public ip.

Thanks for all your help in advance
 
Old 03-22-2010, 03:44 PM   #2
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,200

Rep: Reputation: 397
multiple ssl certs with one public ip is a huge mess I have had first hand experience with this
why?
because with ssl the tunnel (eg which cert to use) has to be established BEFORE http headers are sent (which host to use), hence by domain alone you are going to get the first virtual host that hits and routing to virtual ip based on domain can't happen either because the encryption has to happen before such negotiations occur
gnutls on apache can semi solve this with SNI (server name identification) but its compatibility with browsers is severely limited (windows vista or higher with ie7 or opera) and firefox
and yes you would need port forwarding but from one separate public IP for each domain otherwise a multi domain or wildcard cert (for multiple subdomains of the same domain) would be necessary unless you have more than one public ip per domain
otherwise you will have to use separate ports and one of the sites will force the end user to explicitly type the port in the url which isn't exactly the best practice

Last edited by frieza; 03-22-2010 at 03:48 PM.
 
Old 03-22-2010, 03:51 PM   #3
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 249
Your static external ip is the one you link to SSL, so no, you can't have two virtual hosts sharing 1 static ip address. You could however have a shared SSL site which both virtual hosts use.
Can you get another static ip from your isp ?

Last edited by smoker; 03-22-2010 at 03:52 PM.
 
Old 03-22-2010, 04:10 PM   #4
bobby953
Member
 
Registered: Mar 2009
Posts: 41

Original Poster
Rep: Reputation: 15
Thanks Frieza and smoker for prompt reply. So one SSL site per public ip. Got it. I've got one question about ip-based virtual hosting (forget the SSL part in this case). I know with name-based virtual hosting, the http header is read to determine which domain the request is coming in for.

With ip-based virtual hosting, http header is read for what info? Apache needs what info from the http packet? Just the ip right? Let's say I have two ip based virtual host running.
Code:
<VirtualHost 68.129.56.145:80>
        ...
</VirtualHost>

<VirtualHost 68.129.56.146:80>
        ...
</VirtualHost>
If I used internal ip address instead, this won't work right?

Code:
<VirtualHost 10.10.0.54:80>
        ...
</VirtualHost>

<VirtualHost 10.10.0.55:80>
        ...
</VirtualHost>
If someone could just summarize how packets will eventually come to my interface and how apache will determine which virtual host to read from, I'll greatly appreciate... I read apache document but they don't even tell whether to use external or internal ip...

Basically what I want to know is can I have multiple ip-based virtual host running on one public ip? thanks a lot again

Last edited by bobby953; 03-22-2010 at 04:24 PM.
 
Old 03-22-2010, 04:38 PM   #5
smoker
Senior Member
 
Registered: Oct 2004
Distribution: Fedora Core 4, 12, 13, 14, 15, 17
Posts: 2,279

Rep: Reputation: 249
Quote:
Basically what I want to know is can I have multiple ip-based virtual host running on one public ip?
Why would you want to ? (even if you could)
As you say, apache can read the headers to see which host to send requests to, so it doesn't need an ip address.
We call these name based virtual hosts.
If it's ip based it needs to be public ip based.
You can bind multiple ips to one hardware device but again, if you only have 1 public ip it's a waste of time and a place for problems to occur. You also need more than the usual crappy isp provided router to link multiple ips to one device.

You only need public ips for SSL and anonymous FTP. The rest can be name based with no ill effects.

Don't forget the world is running out of ipv4 addresses so the less you use the better.

Last edited by smoker; 03-22-2010 at 04:41 PM.
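
A simplified model of the lookup asked about in this thread, added here as an example and not code from Apache or from any poster: the address and port the connection arrived on at the server are matched first, and the Host header is only consulted to choose among virtual hosts that share that address. The vhost table is constructed from the addresses and names used in the thread; ServerAlias, wildcard addresses and IPv6 literals are left out.

```python
# Constructed vhost table mirroring the thread: (local address, port, ServerName),
# in the order the <VirtualHost> blocks would appear in the config file.
VHOSTS = [
    ("10.10.0.54", 80, "domain1.ca"),
    ("10.10.0.54", 80, "domain2.ca"),
    ("10.10.0.55", 443, "domain3.ca"),
]

def select_vhost(local_ip, local_port, host_header=None, vhosts=VHOSTS):
    """Return the ServerName that would serve the request, or None for the main server."""
    # Stage 1 (IP-based): keep only vhosts bound to the address and port
    # on which the server accepted the connection.
    candidates = [v for v in vhosts if (v[0], v[1]) == (local_ip, local_port)]
    if not candidates:
        return None  # no vhost for this address: main server configuration applies

    # Stage 2 (name-based): if several vhosts share the address, compare the
    # Host header (port suffix stripped) against each ServerName.
    if host_header:
        name = host_header.split(":")[0].lower()
        for _, _, server_name in candidates:
            if server_name.lower() == name:
                return server_name

    # No Host header, or no ServerName matched: the first vhost listed for
    # that address acts as the default.
    return candidates[0][2]
```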
 
Old 03-22-2010, 05:30 PM   #6
bobby953
Member
 
Registered: Mar 2009
Posts: 41

Original Poster
Rep: Reputation: 15
So the real advantage of ip-based virtual hosting is to consolidate your web servers.

And for ip-based virtual hosting, number of public ip's need to match number of internal ips / physical interfaces (or we could use ip-aliasing). Alright, I understand it now. Thanks a lot smoker
 
  


All times are GMT -5.
